RFR: 8326643: JDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message [v4]
Prasadrao Koppula
pkoppula at openjdk.org
Wed Mar 20 09:36:19 UTC 2024
On Wed, 20 Mar 2024 09:25:35 GMT, Sibabrata Sahoo <ssahoo at openjdk.org> wrote:
>> Thanks for the review, in the comments I mentioned that, this call sends a dummy change_cipher_spec (CCS) record. I hope, It explains why we are calling it here.
>
> Will it produce 2 ChangeCipherSpec record. One after HRR and other after SH?
Yes, the server produces 2 CCS records in the case of HRR. According to RFC:
"Either side can send change_cipher_spec at any time during the handshake, as they must be ignored by the peer, but if the client sends a non-empty session ID, the server MUST send the change_cipher_spec as described in this
appendix."
https://datatracker.ietf.org/doc/html/rfc8446#appendix-D.4
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18372#discussion_r1531754373
More information about the security-dev
mailing list